New EU Cookie Law from 26th May – is your website legal ?

From 26th May 2012, new law states that all websites in the UK should ask all site visitors in advance for permission before storing “Cookies” on their PC. Failure to comply could result in a fine of up to a maximum of £500,000 for serious breaches.

The ICO (Information Commissioner’s Office), who are responsible for enforcing the law in the UK, have said they will take a dim view of organisations that fail to act before the deadline. ” Those who choose to do nothing will have their lack of action taken into account when we begin formal enforcement of the rules.” – Information Commissioner, Christopher Graham

The law also requires that you tell your visitors to your website about your use of cookies or other tracking technologies, and how they can delete or control them.

In May 2011 a new amendment to the Privacy and Electronic Communications Regulations came into effect in the UK requiring that all websites ask visitors for consent to use web cookies in advance of storing them on a user’s equipment such as their computer or mobile device. The new law is intended to help protect people’s privacy. It has become commonly referred to as the “EU Cookie Law” but in actual fact, it covers all technologies as well as cookies which store information in what is formally known as the “terminal equipment” of a user.

Introduction in the UK was deferred for 12 months to give businesses time to implement a solution but now the deadline of 26th May 2012 is fast approaching. Indications are that the UK is currently the only EU country to have translated the EU directive into law so far.

The EU directive is somewhat difficult to interpret but it basically covers almost all types of cookies with very few exceptions. Nearly all websites use cookies, in fact some recent reports indicate this could be in the order of 92%. Cookies are used for remembering information about a visitors activity on web pages and are commonly used for login, remembering preferences, tracking visitors and more. They are however not normally used to store personal information.

The vast majority of small websites use cookies to track visitors to their website, using applications such as Google Analytics to track traffic and enable analysis so that the websites can be improved over time for better performance, content and user experience. Almost all web adverts are measured and targeted automatically using cookies, based on a user’s previous web browsing history. Cookies are also used for social media plugins such as Facebook “Like” buttons.

The new law pretty much prevents use of all of these Cookies entirely without prior permission so it will have a major impact on almost every website. To ask a visitor for permission to use Cookies when they first visit a web page (that is every page on the site until permission is given to store cookies), a website must interrupt their visitors with a pop-up for example which is not going to be popular and will definitely have a detrimental effect on usability. (Take a look at the ICO website for an example)

Websites could stop using cookies by disabling them all within the browser, but generally this means losing some functionality of the site which is not going to make the user experience so friendly and constant interruptions asking for permission on every page you visit will almost certainly lead to more visitors leaving the site rather than continuing to browse.

The solution that the UK ICO implemented on their website to conform with the new EU requirement, apparently resulted in approximately 90% drop in data gathered when they implemented it . This does not mean that they lost all that traffic, just that they could no longer monitor it so they cannot tell how much they actually lost as a result.

A recent survey of 55 major organisations by KPMG indicates that UK businesses generally appear to be rejecting or ignoring the new regulations. Data obtained one month before the regulations becomes law show that a 95% of the businesses surveyed claim they have not yet complied with new EU cookies law, despite offenders potentially facing fines of up to £500,000.

The ICO has stated “We have always been clear that organisations need to provide visitors to their website with enough information to enable individuals to make an informed choice on whether they wish for cookies to be placed on their device. How websites achieve this will depend on how their existing website currently uses cookies, there currently does not appear to be any single solution that can be implemented to allow compliance, however the ICO’s guidance aims to point websites in the right direction towards full compliance.”

International law firm, Pincet Masons, recently published a blog article on their Out-Law.com website (10 April 2012) reporting that the ICO had stated that they are unlikely to take action against the users of data analytics cookies on websites even if they fall foul of new EU rules on cookie consent. The ICO have also apparently said they will only enact financial penalties in cases that affect a large number of people which possibly suggests they will make examples of some of the more serious cases where it would be cost effective to pursue through the courts.

One major point that the legislation aims to improve on is educating people more about Cookies etc and how they are used. A company’s privacy policy typically should include information about the use of Cookies on a website. It is generally recommended that all websites should have a privacy policy included and be accessible (via a link) on every page. (Business Link had a very good privacy policy template you could use as a basis if you do not already have one).

Although there seem to be many articles being published on this subject, many give slightly different information or interpretations of the EU directive which will only lead to confusion and misunderstanding. The International Chamber Of Commerce have produced the ICC UK Cookie Guide to promote wide adoption of standard language in a hope that it will reduce the learning journey of users across websites.

So far, most businesses seem to be waiting for someone to come up with a simple solution to fix the problem or have just chosen to ignore it. There are some initial solutions available but at a price. Many have been hoping that the web browsers will resolve the issue but so far, they have apparently been very quiet on the subject. The UK Government has been talking with the browser manufacturers to see if browsers can be enhanced to give users easier access to settings and to make those settings as informative and easy to use as possible but so far, the Government has not released any details of how these discussions are progressing so it looks like we will have to wait and see if, and when, browser manufacturers are able to release updated versions of their products.

As you can see, this is quite a detailed issue and I apologise for the rather long article. I have included some useful references on the subject if you want to learn more. You should at least be aware of the issue and understand the implications even if you choose not to do anything about it.

This article is not a statement of the law and does not constitute legal advice. Website owners / operators are responsible for their own compliance strategies, depending on the cookies they use and the nature of the website. The author does not endorse any particular method for gaining website users’ consent.

Steve Wood owns and runs Scalar Enterprises based in Portsmouth in Hampshire. He offers a range of services including Web design, Internet marketing and search engine optimisation (SEO) to small businesses and SMEs in Hampshire and the surrounding areas.